The Enabling Technologies Blog


Mark Brezicky

Azure AD Identity Governance – Privileged Identity Management

The next piece of Azure AD Identity Governance is Privileged Identity Management (PIM).  PIM allows you to configure “just-in-time” access for Azure AD role groups and Azure resources, so that users receive temporary, eligible access to privileged roles rather than permanent assignments.  Users are required to activate their rights before performing administrative tasks, and those rights can be set to expire after a set period.  In addition, you can configure settings individually for each role, perform unique access reviews to govern the need for privileged assignments, and monitor the usage of each role.  

With Azure AD PIM, no user should be directly granted privileged rights.  All access grants should be configured and managed, by default, within PIM and as eligible.  The need for permanent rights should not exist…no need to have admin rights when we sleep.  You do sleep, right?  

This article will provide the requirements, administrative tasks, and end user experience for Azure AD PIM. 


Azure AD PIM has the following requirements and limitations: 

  • Azure AD Premium P2 licenses 
  • Roles to manage Azure AD PIM: 
    • Global Administrator 
    • Privileged Identity Administrator 
  • All Azure AD and Azure roles are supported.  You cannot manage classic subscription administrators, including: 
    • Account Administrator 
    • Service Administrator 
    • Co-Administrator 


Also, I recommend having at least one (or two for larger enterprises) break-glass emergency account to prevent being locked out of your environment.  


These are a few definitions to understand what Azure AD PIM is referencing:  

  • Just-in-time access: A method where a user receives temporary access for a specified period to perform their duties when they need to, and access is automatically removed when the time ends. 
  • Activate: The process required to enable a role. 
  • Eligible: A role is assigned to a user but not enabled.  The user needs to activate the role to enable it on their account. 
  • Permanent: A role is assigned to a user and always enabled. 


Administrative Functions 

Let us look at what we can do with Azure AD PIM.  The Azure AD PIM admin portal is part of the Azure AD Identity Governance page, but it also has its own Azure site.  Either browse through Azure AD or search for it separately.  Once on the main page, go to Manage > Azure AD roles.  This will take you to the menu options under Manage.  However, the first place to start is the Overview page.  Here you can get a graphical summary of the Azure AD PIM environment, including:  

  • Role activations in the past week 
  • Role assignment distribution chart 
  • New PIM role assignments 
  • Alerts 
  • Assignment summary 

Azure AD PIM Admin portal

To begin managing the roles, select Roles.  This will provide you with all the available Azure AD roles (or Azure resources).  From here you can click + Add assignments to select a role and add a user to it.   

Add Assignments

Or you can search or browse to the role you wish to manage.  You can see current role description as well as Active and Eligible assignments.   

Add Assignments

When selecting to Update a user, you can choose to assign either Eligible or Permanent type.  You also have the choice to set an end date on the assignment.  Selecting Permanent type requires a justification reason to be entered. 

membership settings

Back on the main page, selecting Assignments brings you to an alternative view showing each user assignment.  You can perform the same tasks from this view. 

Selecting assignments

On the Alerts page, you will see any active alerts regarding your Azure AD PIM setup.  Selecting an alert will allow you to see why the alert was triggered, how to fix it, and recommendations to prevent the alert from recurring. 

Admin Alerts

You can configure the type of alerts to receive.  There are seven built-in alerts, each with configurable options such as enable/disable, timeframes, and percentages; the options vary per alert type.  These alerts include:  

  • The organization doesn’t have Azure AD Premium P2 
  • Roles don’t require multi-factor authentication for activation 
  • Administrators aren’t using their privileged roles 
  • Roles are being activated too frequently 
  • Potential stale accounts in privileged role 
  • There are too many global administrators  

A recent addition to Azure AD PIM is Discovery and insights.  This replaced the previous Security Wizard.  This page provides information to help you get started with Azure AD PIM or to perform a recurring review.    

You can view three crucial insights:  

  • Permanent Global Administrator assignments
  • Highly privileged role assignments 
  • Service Principals with role assignments 

Selecting any one of these allows you to quickly make each user assignment eligible, remove the assignment, or start an access review.  Service principals only have the remove assignment action. 
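To illustrate the Discovery and insights checks above, together with the "too many global administrators" alert from the earlier alert list, outside the portal, here is an added Python example that is not part of the original post. It runs over a constructed list of assignment records whose field names are an assumption loosely modelled on Microsoft Graph's role assignment schedule instances, and the highly privileged role set and global admin threshold are assumed values.

```python
# Added example (not from the original post): audit a PIM role-assignment
# export for the Discovery and insights findings and the "too many global
# administrators" alert. The record shape is an assumption loosely modelled
# on Graph roleAssignmentScheduleInstance objects; all data is constructed.

# Roles treated as highly privileged here (assumption; adjust to your policy).
HIGHLY_PRIVILEGED = {"Global Administrator", "Privileged Role Administrator",
                     "Security Administrator", "Exchange Administrator"}

# Constructed sample export: one record per active assignment instance.
# "Assigned" = directly assigned; "Activated" = activated from an eligible assignment.
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "principalType": "User",
     "role": "Global Administrator", "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "bob@contoso.example", "principalType": "User",
     "role": "Global Administrator", "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "carol@contoso.example", "principalType": "User",
     "role": "Global Administrator", "assignmentType": "Activated",
     "endDateTime": "2020-06-01T17:00:00Z"},
    {"principal": "dave@contoso.example", "principalType": "User",
     "role": "Exchange Administrator", "assignmentType": "Assigned",
     "endDateTime": "2020-12-31T00:00:00Z"},
    {"principal": "backup-automation", "principalType": "ServicePrincipal",
     "role": "User Administrator", "assignmentType": "Assigned", "endDateTime": None},
]


def is_permanent(rec):
    """Permanent = directly assigned with no end date (neither time-bound nor activated)."""
    return rec["assignmentType"] == "Assigned" and rec["endDateTime"] is None


def discovery_insights(records, max_global_admins=5):
    """Return the three insight buckets plus the global-admin-count alert.
    max_global_admins stands in for the alert's configurable threshold (assumed value)."""
    permanent_ga = sorted(r["principal"] for r in records
                          if r["role"] == "Global Administrator" and is_permanent(r))
    # Directly assigned holders of highly privileged roles: candidates to convert to eligible.
    highly_privileged = sorted({r["principal"] for r in records
                                if r["role"] in HIGHLY_PRIVILEGED and r["assignmentType"] == "Assigned"})
    service_principals = sorted(r["principal"] for r in records
                                if r["principalType"] == "ServicePrincipal")
    ga_holders = {r["principal"] for r in records if r["role"] == "Global Administrator"}
    return {
        "permanent_global_admins": permanent_ga,
        "highly_privileged_assignments": highly_privileged,
        "service_principals_with_roles": service_principals,
        "too_many_global_admins": len(ga_holders) > max_global_admins,
    }
```

Each bucket maps to an action the portal offers: permanent and highly privileged entries are candidates for "make eligible" or an access review, while service principal entries only support removal.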


The final menu option is Settings.  The options available provide tremendous granularity for each privileged role.  This page shows all roles, whether they were modified, the last update timestamp, and who last updated them.  Each role can be individually configured for a variety of options.  You can configure Activation settings, such as duration, MFA requirements, and approvals.  Assignment settings provide options to allow permanent or eligible assignments, expiration requirements, and MFA requirements.  Finally, you can configure how notifications are sent.  Each option is shown below: 

Role Settings

End User Role Activation 

Users that have been granted eligible status for a role must activate that role assignment before performing any tasks.  To activate a role, go to the Privileged Identity Management portal and select Tasks > My Roles.  This will take you to the list of eligible Azure AD role assignments.  Choose Activate on the role to activate it. 

Azure AD roles

On the activation screen, you can select a custom activation time, Duration (up to maximum allowed), and, if required, enter a reason for activation.  Once complete, click Activate.    

If Azure MFA is required and you were not already prompted when signing into the Azure portal, you will be required to verify your identity via Azure MFA at this time.  If an approval is required, a message will be sent to the approvers to review the request.  Once approved, the role will be activated.  If no approval is required, the activation will proceed immediately. 

Activate Global Admin

Once activated, you can see the status of your assignment in Active assignments. 

Active Assignments

Privileged Access Groups 

The latest feature of Privileged Identity Management is Privileged Access Groups.  This allows you to create an Azure AD security group that is enabled for Azure AD roles to be assigned to the group.  With this logic, instead of assigning individual users to a privileged role, you assign the privileged role to the group and give the user Privileged Access membership rights.  From an end user perspective, the activation process is the same.  On the back end, instead of activating a role, Azure AD adds the user to the Azure AD security group for the allotted time configured.  That group already has the privileged role assigned, which grants the rights to the user.  This allows for more granular group-based controls, such as stricter requirements via Conditional Access for certain groups.  

Our next and final article in this series will cover the last component of Azure AD Identity Governance, Terms of Use.  Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices while maintaining a secure and productive environment.  You can check out more in the Security section of our website. 
